Threat modelling - Security Personas

I get real satisfaction out of running threat modelling workshops because after the session I can almost immediately see the results in the changes that get made in design and overhearing some of the conversations had around the security controls our applications need to have in place *before* we build them.

I start threat modelling workshops by leading a discussion about what the term vulnerability actually means, stealing the definition from google:

"The quality or state of being exposed to the possibility of being attacked or harmed".

By that definition vulnerability is being exposed and there is only a unqualified potential of being attacked.

The key point to note to the class is usually an attacker needs to gain something from attacking you. It might be financial gain, something ideological or a just a display of skill and bragging rights. The question is what is their motivation? Why do this?

The exercise of threat modelling will help us learn how we might be vulnerable but also help us understand the threats in terms of who, for what reasons and to what impact an attacker of their ability could have. We can then start to make well reasoned decisions using our limited resources to best defend our people and systems.

When we come to the who part of our threat model having a set of 'security personas' to select from helps us in the exercise of thinking about the types of the people, their abilities and motivations and perhaps look at the likely approach of multiple security personas on the same vulnerability.

When tasked with thinking up some examples the class will often create security personas based on things they've seen or read about security incidents in the media or even in TV series or movies. This means initially your class might be saying we need to prepared to defend against highly skilled hackers or governments so it’s Fsociety or Mossad that are our problem.

This especially for a less technical audience with little to no infosec exposure is reasonable as while we might be security professionals who live and breathe this sort of mental exercise its likely your class does not.

You need to help people learn about the more realistic threats like, insider threats, an integrator getting compromised or the non malicious genuine mistakes made by your staff like security misconfigurations or loosing a company laptop. Once you help them get into it the range of threats the team needs to consider during threat modelling is almost always much wider then they'd probably initially considered.

Unfortunately in my experience during workshops some members of the class will tag a certain person, team, product or vendor they work with (probably not present) as a security persona as in their eyes they are to blame for the vulnerabilities they know about and thus a called out as a threat. This is toxic and from the very outset I make it clear its unacceptable to do this in the workshop.

So how do I overcome these two problems? Well you need to give your workshop an engaging set of characters they can kick off great conversations with, build a story around and then invent a new set of security personas to take forward with them for the rest of the workshop.

For this I’m using sets of images of Funko pop collectible characters and asking the class questions like “Who is this?" and "Whats their skill set" and then "What are their potential motivations?" to help them imagine a story and build a security persona.

Ill give you a few examples and the kind of story we might attribute to a selection of these characters.

Muttley is a high school student. He loves computers, especially other peoples computers. Hes recently got access to some penetration testing tools and is experimenting on public systems using a laptop he fished out of a dumpster. He often scans for unpatched Wordpress and Drupal websites and anything on Shodan with default credentials and then defaces or shuts them down them for a laugh.

This is Loki, he’s a security researcher. Loki loves hacking and will try and make some cash from his research anyway he can. Sometimes he will go through a legitimate channel to sell his discoveries like Bugcrowd or hacker one. But no big deal if he cant get paid by them or the vulnerable company hes talking to .... there are other places to sell vulerabilties to.

This is Grumpy bear.

This is anyone who is mad at you or your company. Could be a customer, a vendor, employee or someone who just doesn't happen to agree with what you do for a living. They might not be a computer expert with offensive capabilities but that wont stop them paying your offices a visit.

Not all threats are external or even malicious.

This is Tony the operations lead at your company. Hes currently busy getting devops sorted in the business (whatever that is) and doing all kinds of neat stuff in AWS while your company moves to the cloud.

Tony has no experience with AWS but convinced moving all the servers to the cloud is basically like a digital data center migration. How hard could it be?

It’s fun for the class to hear the stories their peers invent for your selection of these characters and what kind of resulting security personas get put forward. Perhaps if your leading the class be ready to offer some security personas of your own for a few of the characters if things get stale.

Once you’ve done this you can start to think about these security personas might go about attacking your systems or people.

You can ask questions to spark people’s imagination like “How is Muttley going to be different to Loki at approaching social engineering?” or “What happens when Grumpy bear steals Tonys laptop?” to encourage your workshop to think through various scenarios and hopefully unearth even more vulnerabilities.

I hope this novel way of building security personas helps you either consider the kind of security personas to include in your threat models or in your teaching others to threat model. Its important the process is both engaging and done in a safe positive fashion and I think this approach really works great.

I am always looking for ways to improve the workshops I run and how to engage and teach people about application security, so I was pretty pleased to get this reply to the tweet stream that spawned the blog post from @ladynerd .

I don't think I have seen any of the Tinker Bell movies. So for homework I guess ill be watching them to answer this one and give some consideration to how our own biases could impact the the security personas we create.

If you have any tips or comments on how you help people consider the personas in their threat modelling id love to hear from you. Hit me up on twitter @Sparkleops.